About MITRE ATT&CK Framework
MITRE’s ATT&CK Framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. The framework describes how attackers penetrate networks and then move laterally, escalate privileges, establish persistence, or otherwise evade your defenses. ATT&CK looks at the “problem” from the perspective of the attacker, helping cybersecurity professionals determine what goals the attacker is aiming to achieve and what methods the attacker will use to achieve them. The framework organizes attacker behaviors into a series of tactics: the specific technical objectives an attacker wants to achieve. For example, an attacker may perform lateral movement to reach a different part of the network where the specific data they are looking for is waiting to be exfiltrated.
Within each tactic category, ATT&CK defines a series of techniques. Each technique describes one way an attacker may attempt to achieve that objective. Each tactic contains multiple techniques because different attackers deploy different attack methodologies based on their own knowledge or circumstances (availability of tools, system configuration, etc.). Each technique defined in ATT&CK includes a description of the method the attacker deploys, the systems or platforms the technique applies to, and, where known, which attackers or attack groups have been associated with it. Each technique also lists the mitigations a SOC team can apply against that attacker behavior, along with published references to the technique being observed in use.
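The structure just described (tactics that group techniques, each technique carrying its platforms, associated groups, mitigations and references) is exactly what MITRE publishes as STIX data, and a SOC team normally consumes it programmatically to measure how much of the matrix its detections cover. The following is an added example, not code from the page or from MITRE: it parses a constructed, heavily trimmed bundle that mirrors the object shapes of the public ATT&CK STIX data (`attack-pattern`, `course-of-action`, `intrusion-set`, `relationship`), indexes techniques by tactic, and produces a per-tactic coverage report from a constructed list of detection rules. The technique and mitigation IDs are real ATT&CK identifiers; the group name, the rule names, and the `INDEX`/`DETECTIONS` variable names are assumptions made for the example.

```python
"""Index an ATT&CK-shaped STIX bundle by tactic and report detection coverage.

BUNDLE is a constructed subset that follows the object shapes of MITRE's
public ATT&CK STIX data; it is example data, not the official bundle.
"""
from collections import defaultdict

BUNDLE = {
    "type": "bundle",
    "objects": [
        # Techniques: tactic membership lives in kill_chain_phases, the
        # ATT&CK ID (T####) in external_references, platforms in x_mitre_platforms.
        {"type": "attack-pattern", "id": "attack-pattern--a1", "name": "Remote Services",
         "x_mitre_platforms": ["Windows", "Linux", "macOS"],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "lateral-movement"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1021",
                                  "url": "https://attack.mitre.org/techniques/T1021"}]},
        {"type": "attack-pattern", "id": "attack-pattern--a2", "name": "Valid Accounts",
         "x_mitre_platforms": ["Windows", "Linux", "macOS", "SaaS"],
         "kill_chain_phases": [  # one technique may serve several tactics
             {"kill_chain_name": "mitre-attack", "phase_name": "initial-access"},
             {"kill_chain_name": "mitre-attack", "phase_name": "persistence"},
             {"kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation"},
             {"kill_chain_name": "mitre-attack", "phase_name": "defense-evasion"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1078"}]},
        {"type": "attack-pattern", "id": "attack-pattern--a3", "name": "Exploitation for Privilege Escalation",
         "x_mitre_platforms": ["Windows", "Linux", "macOS"],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1068"}]},
        # Mitigation (M####) and a constructed, fictitious threat group.
        {"type": "course-of-action", "id": "course-of-action--m1", "name": "Multi-factor Authentication",
         "external_references": [{"source_name": "mitre-attack", "external_id": "M1032"}]},
        {"type": "intrusion-set", "id": "intrusion-set--g1", "name": "EXAMPLE-GROUP"},  # constructed
        # Relationships tie mitigations and groups to techniques.
        {"type": "relationship", "relationship_type": "mitigates",
         "source_ref": "course-of-action--m1", "target_ref": "attack-pattern--a2"},
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "intrusion-set--g1", "target_ref": "attack-pattern--a1"},
    ],
}

# Constructed detection rules, each mapped to the technique IDs it fires on.
DETECTIONS = {"rdp-lateral-logon": ["T1021"], "mfa-bypass-anomaly": ["T1078"]}


def attack_id(obj):
    """Return the ATT&CK external ID (T1021, M1032, ...) of a STIX object, if any."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return None


def build_index(bundle):
    """Map ATT&CK technique ID -> name, platforms, tactics, mitigations, groups."""
    by_stix_id = {o["id"]: o for o in bundle["objects"] if "id" in o}
    techniques = {}
    for o in bundle["objects"]:
        if o["type"] != "attack-pattern":
            continue
        techniques[o["id"]] = {
            "attack_id": attack_id(o), "name": o["name"],
            "platforms": list(o.get("x_mitre_platforms", [])),
            "tactics": [p["phase_name"] for p in o.get("kill_chain_phases", [])
                        if p["kill_chain_name"] == "mitre-attack"],
            "mitigations": [], "groups": [],
        }
    for o in bundle["objects"]:
        if o["type"] != "relationship" or o["target_ref"] not in techniques:
            continue
        src = by_stix_id.get(o["source_ref"])
        if src is None:  # dangling reference: skip rather than crash
            continue
        if o["relationship_type"] == "mitigates" and src["type"] == "course-of-action":
            techniques[o["target_ref"]]["mitigations"].append(f"{attack_id(src)} {src['name']}")
        elif o["relationship_type"] == "uses" and src["type"] == "intrusion-set":
            techniques[o["target_ref"]]["groups"].append(src["name"])
    return {t["attack_id"]: t for t in techniques.values()}


def techniques_by_tactic(index):
    """Invert the index: tactic (kill-chain phase) -> sorted technique IDs."""
    out = defaultdict(list)
    for tid, t in index.items():
        for tactic in t["tactics"]:
            out[tactic].append(tid)
    return {tactic: sorted(ids) for tactic, ids in out.items()}


def coverage_report(index, detections):
    """Per tactic: how many techniques exist, how many a rule covers, and the gaps.

    Rule mappings to IDs absent from the knowledge base are reported under
    'unmapped' so stale or mistyped technique IDs do not inflate coverage.
    """
    claimed = {tid for ids in detections.values() for tid in ids}
    report = {"unmapped": sorted(claimed - set(index))}
    for tactic, tids in techniques_by_tactic(index).items():
        gaps = [t for t in tids if t not in claimed]
        report[tactic] = {"techniques": len(tids), "covered": len(tids) - len(gaps), "gaps": gaps}
    return report


if __name__ == "__main__":
    INDEX = build_index(BUNDLE)
    for tactic, row in coverage_report(INDEX, DETECTIONS).items():
        print(tactic, row)
```

Run against the real ATT&CK STIX bundle, the same functions give a tactic-by-tactic view of which techniques no detection rule claims, which is the usual starting point for prioritizing new detections; the `unmapped` entry catches rules that reference technique IDs the current ATT&CK release no longer contains.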